US8745394B1 - Methods and systems for secure electronic communication - Google Patents

Publication number
US8745394B1
Authority
US
United States
Prior art keywords
client application
public
private key
user
key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
US13/973,173
Inventor
Syed Rahat
Wayne Browning
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Citibank NA
Original Assignee
Citibank NA
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Citibank NA
Priority to US13/973,173
Assigned to CITIBANK, N.A. Assignment of assignors interest (see document for details). Assignors: RAHAT, SYED; BROWNING, WAYNE
Application granted
Publication of US8745394B1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0884 Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity

Definitions

  • the present invention relates generally to the field of electronic communication, and more particularly to methods and systems for secure electronic communication, such as secure electronic communication between a user's mobile device and a backend server.
  • a client application, for example, on a mobile device processor, sends a communication to a processor of a backend server
  • the client application may sign the communication with its Public Key Infrastructure (PKI) private encryption key.
  • PKI Public Key Infrastructure
  • the communication may then travel from the client application to the processor of the backend server encrypted with the private key of the client application.
  • the purpose of the private key, which may be presumed to be known only to the client application, is to enable the backend server to confirm that the communication actually came from the client application and not from an unauthorized party.
  • the private key of the client application may be vulnerable to compromise, for example, where it is stored on the client device, as well as in the transmission to the backend server.
  • SSL Secure Sockets Layer
  • Embodiments of the invention employ computer hardware and software, including, without limitation, one or more processors coupled to memory and non-transitory, computer-readable storage media with one or more executable computer application programs stored thereon which instruct the processors to perform the methods and systems for secure electronic communication described herein.
  • Such methods and systems may involve, for example, receiving, using a server processor coupled to memory, a request message from a user's communication device processor consisting at least in part of a session key encrypted with a public key of a public/private key pair without sending a private key of the public/private key pair to, or storing the private key on, the user's communication device; decrypting, using the server processor, the request message with a private key of the public/private key pair and retrieving the decrypted session key from the decrypted request message; generating, using the server processor, a response message and encrypting the response message with the retrieved session key; and sending, using the server processor, the session key-encrypted response message to the user's communication device processor.
  • receiving the request message may involve, for example, receiving the request message from the user's communication device processor consisting at least in part of the session key and user authentication credentials encrypted with the public key of the public/private key pair.
  • receiving the request message may involve, for example, receiving the request message from the user's communication device processor consisting at least in part of the session key and a user password encrypted with the public key of the public/private key pair.
  • receiving the request message may involve, for example, receiving the request message consisting at least in part of the session key appended with the user password and encrypted with the public key of the public/private key pair.
  • receiving the request message consisting at least in part of the session key encrypted with the public key may involve, for example, receiving the request message consisting at least in part of the session key generated by a client application on the user's communication device processor and encrypted with the public key of the public/private key pair.
  • receiving the request message consisting at least in part of the session key generated by the client application and encrypted with the public key of the public/private key pair may involve, for example, receiving the request message consisting at least in part of the session key generated by the client application on the user's communication device processor and encrypted with the public key of the public/private key pair of the server.
  • receiving the request message consisting at least in part of the session key generated by the client application and encrypted with the public key of the public/private key pair may involve, for example, receiving the request message consisting at least in part of the session key generated by the client application on the user's communication device processor and encrypted with the public key of the public/private key pair of the client application.
  • receiving the request message consisting at least in part of the session key generated by the client application and encrypted with the public key of the public/private key pair of the client application may involve, for example, generating and storing a public/private key pair of the client application by the server processor without sending the client application private key of the generated public/private key pair to the user's communication device.
  • receiving the request message consisting at least in part of the session key generated by the client application and encrypted with the public key of the public/private key pair may involve, for example, receiving the request message consisting at least in part of a session-specific random number generated by the client application on the user's communication device processor and encrypted with the public key of the public/private key pair.
  • receiving the request message consisting at least in part of the session-specific random number generated by the client application on the user's communication device processor and encrypted with the public key of the public/private key pair may involve, for example, receiving the request message consisting at least in part of a 128-bit session-specific random number generated by the client application on the user's communication device processor and encrypted with the public key of the public/private key pair.
  • receiving the request message may involve, for example, receiving the request message from the user's communication device processor consisting at least in part of a session key and a login request encrypted with the public key of a public/private key pair.
  • decrypting the request message with the private key may involve, for example, decrypting the request message with the private key of the public/private key pair of the server.
  • decrypting the request message with the private key of the public/private key pair of the server may involve, for example, generating a client application public/private key pair and storing the client application public/private key pair without sending a client application private key to, or storing the client application private key on, the user's communication device.
  • storing the user's public/private key pair may involve, for example, storing the client application public/private key pair on a hardware security module without sending the client application private key of the public/private key pair to, or storing the client application private key on, the user's communication device.
  • decrypting the request message with the private key of public/private key pair may involve, for example, decrypting the request message with the private key of a public/private key pair of a client application on the user's communication device processor.
  • retrieving the decrypted session key from the decrypted request message may involve, for example, retrieving the decrypted session key that was generated by a client application on the user's communication device processor and encrypted with the public key of the public/private key pair.
  • generating and encrypting the response message may involve, for example, generating a log-in response message and encrypting the log-in response message with the retrieved session key.
  • sending the session key-encrypted response message may involve, for example, sending the session key-encrypted response message to a client application on the processor of the user's communication device encrypted with the session key generated and stored by the client application in volatile memory on the user's communication device.
  • FIG. 1 is a schematic diagram that illustrates an overview example of key components and the flow of information between key components for embodiments of the invention
  • FIG. 2 is a flow diagram that illustrates an example of securely communicating and storing the user's password on the backend server for embodiments of the invention
  • FIG. 3 is a flow diagram that illustrates an example of a process of secure communication between a client application processor and a backend server processor for embodiments of the invention.
  • FIG. 4 is a flow chart that illustrates an overview example of secure electronic communication for embodiments of the invention.
  • Embodiments of the invention utilize one or more special purpose computer software application program processes, each of which is tangibly embodied in a physical storage device executable on one or more physical computer hardware machines, and each of which is executing on one or more of the physical computer hardware machines (each, a “computer program software application process”).
  • Physical computer hardware machines employed in embodiments of the invention comprise, for example, input/output devices, motherboards, processors, logic circuits, memory, data storage, hard drives, network connections, monitors, and power supplies.
  • Such physical computer hardware machines include, for example, user machines and server machines that may be coupled to one another via a network, such as a local area network, a wide area network, or a global network through telecommunications channels which may include wired or wireless devices and systems.
  • Embodiments of the invention provide methods and systems for secure electronic communication that protect communications originating, for example, from mobile applications running on users' communication devices, such as users' mobile devices, that are sent to processors of backend servers and provide confidentiality, non-repudiation and integrity checks for such communications without storing a private key locally in the mobile applications on the mobile devices.
  • FIG. 1 is a schematic diagram that illustrates an overview example of key components and the flow of information between key components for embodiments of the invention.
  • key components for embodiments of the invention may include, without limitation, a user's communication device processor 100 coupled over a network 102 to a server processor 104.
  • the user's communication device processor 100 may include, without limitation, the processor of any type of wired or wireless communication device that enables communication electronically.
  • the network 102 may include, without limitation, any type of wired or wireless network.
  • the server processor 104 may include, without limitation, the processor of any type of computing device that interfaces with the user's communication device processor 100.
  • the hardware security module 106 coupled to the server processor 104 may include, without limitation, a physical computing device for securely storing digital keys for strong authentication.
  • a communication between the client application on the user's communication device processor 100 and the processor of a backend server 104 is not, for example, automatically initiated by the client application using the stored private key of the client application, as is done in the current process.
  • the user may first enter a user name and password on the client application, which may be referred to as an integrity check.
  • the client application may generate a random number that is session-specific. In other words, a new random number may be generated every time there is a new session between the client application on the user's communication device processor 100 and the server processor 104.
  • the client application-generated random number may be encrypted with a public key, such as the public key of the client application on the user's communication device 100, and sent, along with the communication from the client application, to the backend server processor 104.
  • the backend server 104 may decrypt the communication and confirm that the communication was received from the client application on the user's communication device 100.
  • the private key of the client application need not be stored on the client device or transmitted with the communication from the client application to the backend server 104 as would have been done in a standard PKI process. Therefore, an unauthorized party who attempts to steal the private key of the client application, for example, by breaching the client device 100 or by intercepting the encrypted communication is unsuccessful. Further, a possible breach of security caused by key compromise in local secure storage, such as a secure element of a mobile device, is thereby minimized or eliminated.
  • Embodiments of the invention may involve, for example, packaging a mobile application with a public key of an entity, such as a financial institution or other business entity. Thereafter, the mobile application may be downloaded to a user's mobile device processor 100, for example, from an app store or from a private hosting site or an entity website or from any other suitable source.
  • a unique private/public key pair for each mobile user may be generated in advance and stored by the entity's backend server 104.
  • a hash value of the mobile application binaries may likewise be generated in advance and similarly stored by the backend server 104.
  • the unique private key for each mobile user may be securely stored in the backend system 104 in advance.
  • the mobile application 100 may be capable of generating a hash value of its binaries at the mobile application 100 at run time. The corresponding hash value of the mobile application 100 may also be stored in the backend system 104.
  • the user's mobile application 100 may have the unique public key for the particular user in advance.
  • FIG. 2 is a flow diagram that illustrates an example of securely communicating and storing the user's password on the backend server 104 for embodiments of the invention.
  • the user may create a user password after registration, and the mobile client application 100 may generate a secure 128-bit random number as a session key. Thereafter, the client application 100 may append the user's password to the random number, encrypt the string with a public key, such as the entity's public key, and send the encrypted string to the processor of the backend server 104.
  • the processor of the backend server 104 may decrypt the encrypted string with the entity's private key, create a private/public key pair unique to the user, and store the user's unique key pair in the hardware security module (HSM) 106.
  • HSM hardware security module
  • the processor of the backend server 104 may generate a secure 128-bit random number, append the user's public key, encrypt the string with the session key, and send the encrypted string to the user's mobile application 100.
  • the user's mobile application 100 may decrypt the encrypted string with the session key and store the user's public key, for example, in a keystore on the mobile device.
  • the user may enter his or her user name and password on the client application 100.
  • the mobile application 100 may generate a new session key, such as a new session-specific 128-bit random number, append the user's password to the random number, encrypt the string with the user's public key, and send the encrypted string to the processor of the backend server 104.
  • FIG. 3 is a flow diagram that illustrates an example of a process of secure communication between a client application 100 and a backend server processor 104 for embodiments of the invention.
  • a user may perform a function, such as a login, with the user's mobile application 100, such as a mobile wallet, that requires communication with a backend server 104.
  • although the present example is a user login, it is to be understood that the process may be the same or similar for any other secure interaction between a mobile application 100 on the user's mobile device and a backend server 104.
  • the user's mobile application 100 may generate and temporarily store a random number, such as a 128-bit random number, in volatile memory of the user's mobile device.
  • the 128-bit random number may be used as a session key for the succeeding communication between the user's mobile application and the backend system 104.
  • the mobile application 100 may create a login request for the backend system 104 by combining the session key plus a request payload plus an application hash, encrypt the combination with the user's public key, and send the encrypted request to the backend system 104.
  • the processor of the backend server 104 may decrypt the encrypted request with the user's previously stored private key.
  • the processor of the backend server 104 may retrieve the session key from the decrypted request and perform the requested operation.
  • the requested operation may involve authentication of the user's credentials.
  • the decrypted login request may include, for example, a user's login ID or user name and the user's password.
  • the processor of the backend server 104 may perform the login operation. Thereafter, the processor of the backend server 104 may generate and encrypt a response using the session key retrieved from the decrypted request and send the encrypted response to the user's mobile application 100.
  • the user's mobile application 100 may retrieve the session key previously stored in the user's mobile device memory and decrypt the encrypted response with the retrieved session key.
  • the mobile application 100 may encrypt a request with the user's public key and send the encrypted request to the processor of the backend server 104.
  • the logic may be similar to the logic employed, for example, at 301 through 303 as shown in FIG. 3, in which a request is encrypted by the mobile application 100 using the user's public key, and the encrypted request is sent by the mobile application 100 to the processor of the backend server 104.
  • FIG. 4 is a flow chart that illustrates an overview example of secure electronic communication for embodiments of the invention.
  • a request message may be received from a user's communication device processor 100 consisting at least in part of a session key encrypted with a public key of a public/private key pair without sending a private key of the public/private key pair to, or storing the private key on, the user's communication device 100.
  • the request message may be decrypted with a private key of the public/private key pair and the decrypted session key may be retrieved from the decrypted request message.
  • a response message may be generated and encrypted with the retrieved session key, and at 404, the session key-encrypted response message may be sent to the user's communication device processor 100 similarly using the server processor 104.
  • embodiments of the invention may be implemented as processes of a computer program product, each process of which is operable on one or more processors either alone on a single physical platform, such as a personal computer, or across a plurality of platforms, such as a system or network, including networks such as the Internet, an intranet, a Wide Area Network (WAN), a Local Area Network (LAN), a cellular network, or any other suitable network.
  • WAN Wide Area Network
  • LAN Local Area Network
  • Embodiments of the invention may employ client devices that may each comprise a computer-readable medium, including but not limited to, Random Access Memory (RAM) coupled to a processor.
  • the processor may execute computer-executable program instructions stored in memory.
  • processors may include, but are not limited to, a microprocessor, an Application Specific Integrated Circuit (ASIC), and/or state machines.
  • ASIC Application Specific Integrated Circuit
  • Such processors may comprise, or may be in communication with, media, such as computer-readable media, which stores instructions that, when executed by the processor, cause the processor to perform one or more of the steps described herein.
  • Such computer-readable media may include, but are not limited to, electronic, optical, magnetic, RFID, or other storage or transmission device capable of providing a processor with computer-readable instructions.
  • suitable media include, but are not limited to, CD-ROM, DVD, magnetic disk, memory chip, ROM, RAM, ASIC, a configured processor, optical media, magnetic media, or any other suitable medium from which a computer processor can read instructions.
  • Embodiments of the invention may employ other forms of such computer-readable media to transmit or carry instructions to a computer, including a router, private or public network, or other transmission device or channel, both wired or wireless.
  • Such instructions may comprise code from any suitable computer programming language including, without limitation, C, C++, C#, Visual Basic, Java, Python, Perl, and JavaScript.
  • client devices may also comprise a number of external or internal devices, such as a mouse, a CD-ROM, DVD, keyboard, display, or other input or output devices.
  • client devices may be any suitable type of processor-based platform that is connected to a network and that interacts with one or more application programs and may operate on any suitable operating system.
  • Server devices may also be coupled to the network and, similarly to client devices, such server devices may comprise a processor coupled to a computer-readable medium, such as a RAM.
  • server devices, which may be a single computer system, may also be implemented as a network of computer processors. Examples of such server devices are servers, mainframe computers, networked computers, a processor-based device, and similar types of systems and devices.

Abstract

Methods and systems for secure electronic communication involve, for example, using a processor coupled to memory to receive a request message from a user's communication device processor including a session key encrypted with a public key of a public/private key pair without sending a private key of the public/private key pair to, or storing the private key on, the user's communication device. Using the processor, the request message is decrypted with a private key of the public/private key pair and the session key is retrieved from the decrypted request message. Thereafter, also using the processor, a response message is generated and encrypted with the retrieved session key and sent to the user's communication device processor.
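The exchange summarised in the abstract, with the session key, request payload and application hash that the FIG. 3 walkthrough combines, as an added example that is not code from the patent. The patent names no algorithms: RSA-OAEP with SHA-256, AES-128-GCM, SHA-256 as the application hash, scrypt for the stored password verifier, the `userId` sent outside the ciphertext, and every function name here are assumptions.

```javascript
// Added example of the FIG. 3 exchange. Assumed, not from the patent: RSA-OAEP/SHA-256,
// AES-128-GCM, SHA-256 as the application hash, scrypt for the stored password verifier.
const nodeCrypto = require('node:crypto');

const KEY_LEN = 16;   // 128-bit session-specific random number
const HASH_LEN = 32;  // SHA-256 digest length
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
const OAEP_MAX = 256 - 2 * HASH_LEN - 2; // 190 plaintext bytes with a 2048-bit key

const sha256 = (buf) => nodeCrypto.createHash('sha256').update(buf).digest();

// Server, in advance: create the per-user key pair and keep the private half.
// (The patent stores it in an HSM; a plain object stands in for that here.)
function enrollUser(server, userId, password) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const salt = nodeCrypto.randomBytes(16);
  server.users[userId] = { privateKey, salt, verifier: nodeCrypto.scryptSync(password, salt, 32) };
  return publicKey; // the only key material that reaches the device
}

// Client: session key || request payload || application hash, under the user's public key.
function buildRequest(userPublicKey, payload, appBinary) {
  const sessionKey = nodeCrypto.randomBytes(KEY_LEN); // held in memory for this session only
  const plain = Buffer.concat([sessionKey, Buffer.from(JSON.stringify(payload)), sha256(appBinary)]);
  if (plain.length > OAEP_MAX) throw new Error('request exceeds one RSA-OAEP block');
  return { sessionKey, encrypted: nodeCrypto.publicEncrypt({ key: userPublicKey, ...OAEP }, plain) };
}

// Session-key framing (assumed): 12-byte IV || 16-byte GCM tag || ciphertext.
function seal(sessionKey, obj) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-128-gcm', sessionKey, iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(obj), 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

function unseal(sessionKey, msg) {
  const iv = msg.subarray(0, 12);
  const decipher = nodeCrypto.createDecipheriv('aes-128-gcm', sessionKey, iv, { authTagLength: 16 });
  decipher.setAuthTag(msg.subarray(12, 28));
  const pt = Buffer.concat([decipher.update(msg.subarray(28)), decipher.final()]); // throws if modified
  return JSON.parse(pt.toString('utf8'));
}

// Server: decrypt with the stored private key, recover the session key, check the
// application hash and the password, then answer under the session key.
// Public-key encryption does not authenticate the sender; these checks do.
function handleRequest(server, userId, encrypted) {
  const user = server.users[userId];
  if (!user) throw new Error('unknown user');
  const plain = nodeCrypto.privateDecrypt({ key: user.privateKey, ...OAEP }, encrypted);
  if (plain.length <= KEY_LEN + HASH_LEN) throw new Error('malformed request');
  const sessionKey = plain.subarray(0, KEY_LEN);
  const payload = JSON.parse(plain.subarray(KEY_LEN, plain.length - HASH_LEN).toString('utf8'));
  const appOk = nodeCrypto.timingSafeEqual(plain.subarray(plain.length - HASH_LEN), server.appHash);
  const candidate = nodeCrypto.scryptSync(String(payload.password), user.salt, 32);
  const pwOk = payload.user === userId && nodeCrypto.timingSafeEqual(candidate, user.verifier);
  return seal(sessionKey, { op: payload.op, ok: appOk && pwOk });
}

// One full round trip; returns the response as the client sees it after decryption.
function login(server, publicKey, userId, password, appBinary) {
  const req = buildRequest(publicKey, { op: 'login', user: userId, password }, appBinary);
  return unseal(req.sessionKey, handleRequest(server, userId, req.encrypted));
}

// Constructed sample data: a stand-in binary, one enrolled user, one login.
const APP_BINARY = Buffer.from('constructed stand-in for the application binary');
const server = { users: {}, appHash: sha256(APP_BINARY) };
const alicePublicKey = enrollUser(server, 'alice', 'correct horse battery');
console.log(login(server, alicePublicKey, 'alice', 'correct horse battery', APP_BINARY));
```

Anyone holding the public key can produce a well-formed request, so acceptance rests on the password and hash checks inside `handleRequest`, and the GCM tag is what makes a modified response fail to decrypt on the client.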

Description

FIELD OF THE INVENTION
The present invention relates generally to the field of electronic communication, and more particularly to methods and systems for secure electronic communication, such as secure electronic communication between a user's mobile device and a backend server.
BACKGROUND OF THE INVENTION
Typically, when a client application, for example, on a mobile device processor, sends a communication to a processor of a backend server, the client application may sign the communication with its Public Key Infrastructure (PKI) private encryption key. The communication may then travel from the client application to the processor of the backend server encrypted with the private key of the client application. The purpose of the private key, which may be presumed to be known only to the client application, is to enable the backend server to confirm that the communication actually came from the client application and not from an unauthorized party. Currently, the private key of the client application may be vulnerable to compromise, for example, where it is stored on the client device, as well as in the transmission to the backend server.
The commonly-used Secure Sockets Layer (SSL) security protocol is not sufficiently secure for securing authentication credentials, such as a user's password and/or a device fingerprint, between a mobile client application and a backend server, because of the possibility of compromise. There is presently no known solution that can provide payload encryption, non-repudiation and an integrity check for messages exchanged between mobile applications and backend systems without storing private keys in the mobile application on a device, such as a mobile phone, which makes the private key vulnerable to compromise.
There is a current need for methods and systems for secure electronic communication that secure all sensitive information including authentication credentials, such as user passwords and device fingerprints, by assuring that all communications between a mobile device application and a processor of a backend server are payload encrypted.
SUMMARY OF THE INVENTION
Embodiments of the invention employ computer hardware and software, including, without limitation, one or more processors coupled to memory and non-transitory, computer-readable storage media with one or more executable computer application programs stored thereon which instruct the processors to perform the methods and systems for secure electronic communication described herein. Such methods and systems may involve, for example, receiving, using a server processor coupled to memory, a request message from a user's communication device processor consisting at least in part of a session key encrypted with a public key of a public/private key pair without sending a private key of the public/private key pair to, or storing the private key on, the user's communication device; decrypting, using the server processor, the request message with a private key of the public/private key pair and retrieving the decrypted session key from the decrypted request message; generating, using the server processor, a response message and encrypting the response message with the retrieved session key; and sending, using the server processor, the session key-encrypted response message to the user's communication device processor.
In aspects of embodiments of the invention, receiving the request message may involve, for example, receiving the request message from the user's communication device processor consisting at least in part of the session key and user authentication credentials encrypted with the public key of the public/private key pair. In other aspects, receiving the request message may involve, for example, receiving the request message from the user's communication device processor consisting at least in part of the session key and a user password encrypted with the public key of the public/private key pair. In further aspects, receiving the request message may involve, for example, receiving the request message consisting at least in part of the session key appended with the user password and encrypted with the public key of the public/private key pair.
In further aspects of embodiments of the invention, receiving the request message consisting at least in part of the session key encrypted with the public key may involve, for example, receiving the request message consisting at least in part of the session key generated by a client application on the user's communication device processor and encrypted with the public key of the public/private key pair. In still further aspects, receiving the request message consisting at least in part of the session key generated by the client application and encrypted with the public key of the public/private key pair may involve, for example, receiving the request message consisting at least in part of the session key generated by the client application on the user's communication device processor and encrypted with the public key of the public/private key pair of the server.
In other aspects of embodiments of the invention, receiving the request message consisting at least in part of the session key generated by the client application and encrypted with the public key of the public/private key pair may involve, for example, receiving the request message consisting at least in part of the session key generated by the client application on the user's communication device processor and encrypted with the public key of the public/private key pair of the client application. In additional aspects, receiving the request message consisting at least in part of the session key generated by the client application and encrypted with the public key of the public/private key pair of the client application may involve, for example, generating and storing a public/private key pair of the client application by the server processor without sending the client application private key of the generated public/private key pair to the user's communication device.
In additional aspects of embodiments of the invention, receiving the request message consisting at least in part of the session key generated by the client application and encrypted with the public key of the public/private key pair may involve, for example, receiving the request message consisting at least in part of a session-specific random number generated by the client application on the user's communication device processor and encrypted with the public key of the public/private key pair. In further aspects, receiving the request message consisting at least in part of the session-specific random number generated by the client application on the user's communication device processor and encrypted with the public key of the public/private key pair may involve, for example, receiving the request message consisting at least in part of a 128-bit session-specific random number generated by the client application on the user's communication device processor and encrypted with the public key of the public/private key pair. In other aspects, receiving the request message may involve, for example, receiving the request message from the user's communication device processor consisting at least in part of a session key and a login request encrypted with the public key of a public/private key pair.
In other aspects of embodiments of the invention, decrypting the request message with the private key may involve, for example, decrypting the request message with the private key of the public/private key pair of the server. In additional aspects, decrypting the request message with the private key of the public/private key pair of the server may involve, for example, generating a client application public/private key pair and storing the client application public/private key pair without sending a client application private key to, or storing the client application private key on, the user's communication device. In further aspects, storing the user's public/private key pair may involve, for example, storing the client application public/private key pair on a hardware security module without sending the client application private key of the public/private key pair to, or storing the client application private key on, the user's communication device.
In still other aspects of embodiments of the invention, decrypting the request message with the private key of the public/private key pair may involve, for example, decrypting the request message with the private key of a public/private key pair of a client application on the user's communication device processor. In still further aspects, retrieving the decrypted session key from the decrypted request message may involve, for example, retrieving the decrypted session key that was generated by a client application on the user's communication device processor and encrypted with the public key of the public/private key pair. In further aspects, generating and encrypting the response message may involve, for example, generating a log-in response message and encrypting the log-in response message with the retrieved session key. In additional aspects, sending the session key-encrypted response message may involve, for example, sending the session key-encrypted response message to a client application on the processor of the user's communication device encrypted with the session key generated and stored by the client application in volatile memory on the user's communication device.
These and other aspects of the invention will be set forth in part in the description which follows and in part will become more apparent to those skilled in the art upon examination of the following or may be learned from practice of the invention. It is intended that all such aspects are to be included within this description, are to be within the scope of the present invention, and are to be protected by the accompanying claims.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a schematic diagram that illustrates an overview example of key components and the flow of information between key components for embodiments of the invention;
FIG. 2 is a flow diagram that illustrates an example of securely communicating and storing the user's password on the backend server for embodiments of the invention;
FIG. 3 is a flow diagram that illustrates an example of a process of secure communication between a client application processor and a backend server processor for embodiments of the invention; and
FIG. 4 is a flow chart that illustrates an overview example of secure electronic communication for embodiments of the invention.
DETAILED DESCRIPTION
Reference will now be made in detail to embodiments of the invention, one or more examples of which are illustrated in the accompanying drawings. Each example is provided by way of explanation of the invention, not as a limitation of the invention. It will be apparent to those skilled in the art that various modifications and variations can be made in the present invention without departing from the scope or spirit of the invention. For example, features illustrated or described as part of one embodiment can be used in another embodiment to yield a still further embodiment. Thus, it is intended that the present invention cover such modifications and variations that come within the scope of the invention.
Embodiments of the invention utilize one or more special purpose computer software application program processes, each of which is tangibly embodied in a physical storage device executable on one or more physical computer hardware machines, and each of which is executing on one or more of the physical computer hardware machines (each, a “computer program software application process”). Physical computer hardware machines employed in embodiments of the invention comprise, for example, input/output devices, motherboards, processors, logic circuits, memory, data storage, hard drives, network connections, monitors, and power supplies. Such physical computer hardware machines include, for example, user machines and server machines that may be coupled to one another via a network, such as a local area network, a wide area network, or a global network through telecommunications channels which may include wired or wireless devices and systems.
Embodiments of the invention provide methods and systems for secure electronic communication that protect communications originating, for example, from mobile applications running on users' communication devices, such as users' mobile devices, that are sent to processors of backend servers and provide confidentiality, non-repudiation and integrity checks for such communications without storing a private key locally in the mobile applications on the mobile devices.
FIG. 1 is a schematic diagram that illustrates an overview example of key components and the flow of information between key components for embodiments of the invention. Referring to FIG. 1, key components for embodiments of the invention may include, without limitation, a user's communication device processor 100 coupled over a network 102 to a server processor 104. The user's communication device processor 100 may include, without limitation, the processor of any type of wired or wireless communication device that enables communication electronically.
Referring further to FIG. 1, the network 102 may include, without limitation, any type of wired or wireless network. The server processor 104 may include, without limitation, the processor of any type of computing device that interfaces with the user's communication device processor 100. The hardware security module 106 coupled to the server processor 104 may include, without limitation, a physical computing device for securely storing digital keys for strong authentication.
In embodiments of the invention, a communication between the client application on the user's communication device processor 100 and the processor of a backend server 104 is not, for example, automatically initiated by the client application using the stored private key of the client application, as is done in the current process. Instead, the user may first enter a user name and password on the client application, which may be referred to as an integrity check. When the user name and password are verified by the client application, the client application may generate a random number that is session-specific. In other words, a new random number may be generated every time there is a new session between the client application on the user's communication device processor 100 and the server processor 104.
In embodiments of the invention, the client application-generated random number may be encrypted with a public key, such as the public key of the client application on the user's communication device 100, and sent, along with the communication from the client application, to the backend server processor 104. Using the private key of the client application, which was previously stored by the backend server 104, the backend server 104 may decrypt the communication and confirm that the communication was received from the client application on the user's communication device 100.
Thus, in embodiments of the invention, the private key of the client application need not be stored on the client device or transmitted with the communication from the client application to the backend server 104 as would have been done in a standard PKI process. Therefore, an unauthorized party who attempts to steal the private key of the client application, for example, by breaching the client device 100 or by intercepting the encrypted communication is unsuccessful. Further, a possible breach of security caused by key compromise in local secure storage, such as a secure element of a mobile device, is thereby minimized or eliminated.
Embodiments of the invention may involve, for example, packaging a mobile application with a public key of an entity, such as a financial institution or other business entity. Thereafter, the mobile application may be downloaded to a user's mobile device processor 100, for example, from an app store or from a private hosting site or an entity website or from any other suitable source. In addition, a unique private/public key pair for each mobile user may be generated in advance and stored by the entity's backend server 104. Likewise, a hash value of the mobile application binaries may be generated in advance and similarly stored by the backend server 104.
In embodiments of the invention, the unique private key for each mobile user, together with the hash of the user's mobile application and the user's personal identification number (PIN) and password, may be securely stored in the backend system 104 in advance. Further, the mobile application 100 may be capable of generating a hash value of its binaries at the mobile application 100 at run time. The corresponding hash value of the mobile application 100 may also be stored in the backend system 104. In addition, the user's mobile application 100 may have the unique public key for the particular user in advance.
FIG. 2 is a flow diagram that illustrates an example of securely communicating and storing the user's password on the backend server 104 for embodiments of the invention. Referring to FIG. 2, at 201, the user may create a user password after registration, and the mobile client application 100 may generate a secure 128-bit random number as a session key. Thereafter, the client application 100 may append the user's password to the random number, encrypt the string with a public key, such as the entity's public key, and send the encrypted string to the processor of the backend server 104.
Referring further to FIG. 2, at 202, upon receiving the encrypted string from the mobile application 100, the processor of the backend server 104 may decrypt the encrypted string with the entity's private key, create a private/public key pair unique to the user, and store the user's unique key pair in the hardware security module (HSM) 106. At 203, the processor of the backend server 104 may generate a secure 128-bit random number, append the user's public key, encrypt the string with the session key, and send the encrypted string to the user's mobile application 100.
At 204, upon receiving the encrypted string, the user's mobile application 100 may decrypt the encrypted string with the session key and store the user's public key, for example, in a keystore on the mobile device. At 205, on a succeeding occasion, the user may enter his or her user name and password on the client application 100. Upon verifying the user name and password, the mobile application 100 may generate a new session key, such as a new session-specific 128-bit random number, append the user's password to the random number, encrypt the string with the user's public key, and send the encrypted string to the processor of the backend server 104.
FIG. 3 is a flow diagram that illustrates an example of a process of secure communication between a client application 100 and a backend server processor 104 for embodiments of the invention. Referring to FIG. 3, at 301 a user may perform a function, such as a login, with the user's mobile application 100, such as a mobile wallet, that requires communication with a backend server 104. While the present example is a user login, it is to be understood that the process may be the same or similar for any other secure interaction between a mobile application 100 on the user's mobile device and a backend server 104.
Referring again to FIG. 3, also at 301, the user's mobile application 100 may generate and temporarily store a random number, such as a 128-bit random number, in volatile memory of the user's mobile device. The 128-bit random number may be used as a session key for the succeeding communication between the user's mobile application and the backend system 104. In addition, at 301, the mobile application 100 may create a login request for the backend system 104 by combining the session key plus a request payload plus an application hash, encrypt the combination with the user's public key, and send the encrypted request to the backend system 104.
Referring further to FIG. 3, at 302, upon receiving the encrypted request from the mobile application 100, the processor of the backend server 104 may decrypt the encrypted request with the user's previously stored private key. In addition, the processor of the backend server 104 may retrieve the session key from the decrypted request and perform the requested operation. In the login example, the requested operation may involve authentication of the user's credentials. Thus, the decrypted login request may include, for example, a user's login ID or user name and the user's password.
Referring again to FIG. 3, also at 302, after checking and confirming that the user name and password match the user name and user password previously stored for the user by the backend server 104, the processor of the backend server 104 may perform the login operation. Thereafter, the processor of the backend server 104 may generate and encrypt a response using the session key retrieved from the decrypted request and send the encrypted response to the user's mobile application 100.
Referring once more to FIG. 3, at 303, upon receiving the encrypted response from the backend server 104, the user's mobile application 100 may retrieve the session key previously stored in the user's mobile device memory and decrypt the encrypted response with the retrieved session key. At 304, for a further communication from the client application to the processor of the backend server 104 within the same active session, the mobile application 100 may encrypt a request with the user's public key and send the encrypted request to the processor of the backend server 104.
Thereafter, for all ongoing communication between mobile application 100 and the processor of the backend server 104 in the same active session, the logic may be similar to the logic employed, for example, at 301 through 303 as shown in FIG. 3, in which a request is encrypted by the mobile application 100 using the user's public key, and the encrypted request is sent by the mobile application 100 to the processor of the backend server 104.
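The FIG. 3 exchange at 301 through 303 can be sketched in Go as follows. This is an added example, not code from the patent: the description names no cipher, padding or message layout, so RSA-OAEP with SHA-256, AES-128-GCM, the field order, the application hash check on the server, the constructed credentials and every identifier below are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

const keyLen, hashLen, nonceLen = 16, sha256.Size, 12 // 128-bit session key, as described

// Server models backend server 104; priv stands in for the key held in HSM 106.
type Server struct {
	priv              *rsa.PrivateKey
	appHash, credHash [32]byte // stored in advance; credHash is a constructed stand-in
}

// Client models mobile application 100 and holds only the public key.
type Client struct {
	pub        *rsa.PublicKey
	appHash    [32]byte
	sessionKey []byte // held in memory only, never written to storage
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// BuildRequest is step 301: session key + app hash + payload (assumed order), RSA-OAEP encrypted.
func (c *Client) BuildRequest(payload []byte) ([]byte, error) {
	c.sessionKey = make([]byte, keyLen)
	if _, err := rand.Read(c.sessionKey); err != nil {
		return nil, err
	}
	pt := append(append(append([]byte{}, c.sessionKey...), c.appHash[:]...), payload...)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, c.pub, pt, nil)
}

// Handle is step 302: decrypt, recover the session key, check the login, answer under that key.
func (s *Server) Handle(req []byte) ([]byte, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, req, nil)
	if err != nil || len(pt) < keyLen+hashLen ||
		subtle.ConstantTimeCompare(pt[keyLen:keyLen+hashLen], s.appHash[:]) != 1 {
		return nil, fmt.Errorf("request rejected") // bad ciphertext or unknown app build
	}
	status := "login-ok"
	if sum := sha256.Sum256(pt[keyLen+hashLen:]); subtle.ConstantTimeCompare(sum[:], s.credHash[:]) != 1 {
		status = "login-denied"
	}
	gcm, err := newGCM(pt[:keyLen])
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(status), nil), nil
}

// ReadResponse is step 303: decrypt the response with the session key kept in memory.
func (c *Client) ReadResponse(box []byte) (string, error) {
	gcm, err := newGCM(c.sessionKey)
	if err != nil || len(box) < nonceLen {
		return "", fmt.Errorf("unreadable response")
	}
	msg, err := gcm.Open(nil, box[:nonceLen], box[nonceLen:], nil)
	return string(msg), err
}

// newPair provisions both sides; the key pair is made server-side and only the public half leaves.
func newPair(creds string) (*Server, *Client) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // key generation fails only without entropy
	}
	app := sha256.Sum256([]byte("constructed application binary"))
	return &Server{priv, app, sha256.Sum256([]byte(creds))}, &Client{pub: &priv.PublicKey, appHash: app}
}

func main() {
	srv, cli := newPair("alice:correct horse")
	req, err := cli.BuildRequest([]byte("alice:correct horse"))
	if err != nil {
		panic(err)
	}
	resp, err := srv.Handle(req)
	if err != nil {
		panic(err)
	}
	fmt.Println(cli.ReadResponse(resp))
}
```

With a 2048-bit key and SHA-256, OAEP accepts at most 190 bytes of plaintext, so after the 16-byte session key and the 32-byte hash the payload is limited to 142 bytes in this layout.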
FIG. 4 is a flow chart that illustrates an overview example of secure electronic communication for embodiments of the invention. Referring to FIG. 4, at 401, using a server processor 104 coupled to memory, a request message may be received from a user's communication device processor 100 consisting at least in part of a session key encrypted with a public key of a public/private key pair without sending a private key of the public/private key pair to, or storing the private key on, the user's communication device 100.
Referring further to FIG. 4, at 402, also using the server processor 104, the request message may be decrypted with a private key of the public/private key pair and the decrypted session key may be retrieved from the decrypted request message. At 403, likewise using the server processor 104, a response message may be generated and encrypted with the retrieved session key, and at 404, the session key-encrypted response message may be sent to the user's communication device processor 100 similarly using the server processor 104.
It is to be understood that embodiments of the invention may be implemented as processes of a computer program product, each process of which is operable on one or more processors either alone on a single physical platform, such as a personal computer, or across a plurality of platforms, such as a system or network, including networks such as the Internet, an intranet, a Wide Area Network (WAN), a Local Area Network (LAN), a cellular network, or any other suitable network.
Embodiments of the invention may employ client devices that may each comprise a computer-readable medium, including but not limited to, Random Access Memory (RAM) coupled to a processor. The processor may execute computer-executable program instructions stored in memory. Such processors may include, but are not limited to, a microprocessor, an Application Specific Integrated Circuit (ASIC), and/or state machines. Such processors may comprise, or may be in communication with, media, such as computer-readable media, which store instructions that, when executed by the processor, cause the processor to perform one or more of the steps described herein.
It is also to be understood that such computer-readable media may include, but are not limited to, electronic, optical, magnetic, RFID, or other storage or transmission device capable of providing a processor with computer-readable instructions. Other examples of suitable media include, but are not limited to, CD-ROM, DVD, magnetic disk, memory chip, ROM, RAM, ASIC, a configured processor, optical media, magnetic media, or any other suitable medium from which a computer processor can read instructions.
Embodiments of the invention may employ other forms of such computer-readable media to transmit or carry instructions to a computer, including a router, private or public network, or other transmission device or channel, whether wired or wireless. Such instructions may comprise code from any suitable computer programming language including, without limitation, C, C++, C#, Visual Basic, Java, Python, Perl, and JavaScript.
It is to be further understood that client devices that may be employed by embodiments of the invention may also comprise a number of external or internal devices, such as a mouse, a CD-ROM, DVD, keyboard, display, or other input or output devices. In general such client devices may be any suitable type of processor-based platform that is connected to a network and that interacts with one or more application programs and may operate on any suitable operating system.
Server devices may also be coupled to the network and, similarly to client devices, such server devices may comprise a processor coupled to a computer-readable medium, such as a RAM. Such server devices, which may be a single computer system, may also be implemented as a network of computer processors. Examples of such server devices are servers, mainframe computers, networked computers, a processor-based device, and similar types of systems and devices.

Claims (13)

What is claimed is:
1. A method for secure electronic communication between a client application processor and a server processor, comprising:
generating, using a server processor coupled to memory, a client application public/private key pair and storing the client application public/private key pair on a physical hardware security module without sending a client application private key to, or storing the client application private key on, a user's communication device;
receiving, using the server processor, a request message from a user's communication device processor consisting at least in part of a session key encrypted with the client application public key of the public/private key pair;
retrieving, using the server processor, the client application private key of the public/private key pair stored on the physical hardware security module;
decrypting, using the server processor, the request message with the client application private key of the public/private key pair and retrieving the decrypted session key from the decrypted request message;
generating, using the server processor, a response message and encrypting the response message with the retrieved session key; and
sending, using the server processor, the session key-encrypted response message to the user's communication device processor.
2. The method of claim 1, wherein receiving the request message further comprises receiving the request message from the user's communication device processor consisting at least in part of the session key and user authentication credentials encrypted with the client application public key of the public/private key pair.
3. The method of claim 1, wherein receiving the request message further comprises receiving the request message from the user's communication device processor consisting at least in part of the session key and a user password encrypted with the client application public key of the public/private key pair.
4. The method of claim 3, wherein receiving the request message further comprises receiving the request message consisting at least in part of the session key appended with the user password and encrypted with the client application public key of the public/private key pair.
5. The method of claim 1, wherein receiving the request message consisting at least in part of the session key encrypted with the client application public key further comprises receiving the request message consisting at least in part of the session key generated by a client application on the user's communication device processor and encrypted with the client application public key of the public/private key pair.
6. The method of claim 1, wherein receiving the request message consisting at least in part of the session key generated by the client application and encrypted with the client application public key of the public/private key pair further comprises receiving the request message consisting at least in part of a session-specific random number generated by the client application on the user's communication device processor and encrypted with the client application public key of the public/private key pair.
7. The method of claim 6, wherein receiving the request message consisting at least in part of the session-specific random number generated by the client application on the user's communication device processor and encrypted with the client application public key of the public/private key pair further comprises receiving the request message consisting at least in part of a 128-bit session-specific random number generated by the client application on the user's communication device processor and encrypted with the client application public key of the public/private key pair.
8. The method of claim 1, wherein receiving the request message further comprises receiving the request message from the user's communication device processor consisting at least in part of a session key and a login request encrypted with the client application public key of the public/private key pair.
9. The method of claim 1, wherein retrieving the decrypted session key from the decrypted request message further comprises retrieving the decrypted session key that was generated by a client application on the user's communication device processor and encrypted with the client application public key of the public/private key pair.
10. The method of claim 1, wherein generating and encrypting the response message further comprise generating a log-in response message and encrypting the log-in response message with the retrieved session key.
11. The method of claim 1, wherein sending the session key-encrypted response message further comprises sending the session key-encrypted response message to a client application on the processor of the user's communication device encrypted with the session key generated and stored by the client application in volatile memory on the user's communication device.
12. A machine for secure electronic communication, comprising:
a server processor coupled to memory, the server processor being programmed for:
generating a client application public/private key pair and storing the client application public/private key pair on a physical hardware security module without sending a client application private key to, or storing the client application private key on, a user's communication device;
receiving a request message from a user's communication device processor consisting at least in part of a session key encrypted with the client application public key of the public/private key pair;
retrieving, using the server processor, the client application private key of the public/private key pair stored on the physical hardware security module;
decrypting the request message with the client application private key of the public/private key pair and retrieving the decrypted session key from the decrypted request message;
generating a response message and encrypting the response message with the retrieved session key; and
sending the session key-encrypted response message to the processor of the user's communication device.
13. A non-transitory computer-readable storage medium with an executable program stored thereon, wherein the program instructs a server processor to perform the following steps:
generate a client application public/private key pair and store the client application public/private key pair on a physical hardware security module without sending a client application private key to, or storing the client application private key on, a user's communication device;
receive a request message from a user's communication device processor consisting at least in part of a session key encrypted with the client application public key of the public/private key pair;
retrieve the client application private key of the public/private key pair stored on the physical hardware security module;
decrypt the request message with the client application private key of the public/private key pair and retrieve the decrypted session key from the decrypted request message;
generate a response message and encrypt the response message with the retrieved session key; and
send the session key-encrypted response message to the processor of the user's communication device.
US13/973,173 2013-08-22 2013-08-22 Methods and systems for secure electronic communication Active US8745394B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US13/973,173 US8745394B1 (en) 2013-08-22 2013-08-22 Methods and systems for secure electronic communication


Publications (1)

Publication Number Publication Date
US8745394B1 true US8745394B1 (en) 2014-06-03

Family

ID=50781414


Country Status (1)

Country Link
US (1) US8745394B1 (en)

US8307208B2 (en) 2008-06-04 2012-11-06 Panasonic Corporation Confidential communication method
US20130007456A1 (en) 2009-07-15 2013-01-03 Research In Motion Limited System and method for exchanging key generation parameters for secure communications
US20130124866A1 (en) 2011-11-15 2013-05-16 Apple Inc. Client-server system with security for untrusted server

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Abusukhon, A. et al., "A Novel Network Security Algorithm Based on Private Key Encryption," Conference on Cyber Security Cyber Warfare and Digital Forensic (Cybersec), 2012 International, Jun. 26-28, 2012, pp. 33-37.
IP.Com et al., "Auto-Generation of Encrypted Key at Both the Client Side and the Server Side," IP.Com Prior Art Database IPCOM000205360D, Mar. 28, 2011, pp. 1-3.
Smith, et al, "Secure Mobile Communication Via Identity-Based Cryptography and Server-Aided Computations," Journal of Supercomputing, Aug. 31, 2009, pp. 1-20.

Cited By (32)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8904195B1 (en) * 2013-08-21 2014-12-02 Citibank, N.A. Methods and systems for secure communications between client applications and secure elements in mobile devices
US9270449B1 (en) * 2014-01-17 2016-02-23 Amazon Technologies, Inc. Secured communication in network environments
US10574443B2 (en) 2014-01-17 2020-02-25 Amazon Technologies, Inc. Secured communication in network environments
US10375067B2 (en) 2014-06-26 2019-08-06 Amazon Technologies, Inc. Mutual authentication with symmetric secrets and signatures
US9882900B2 (en) 2014-06-26 2018-01-30 Amazon Technologies, Inc. Mutual authentication with symmetric secrets and signatures
EP3609210A1 (en) * 2014-12-12 2020-02-12 GN Hearing A/S Hearing aid with communication protection and related method
US10154059B2 (en) 2014-12-12 2018-12-11 Gn Hearing A/S Hearing device with communication protection and related method
US11284249B2 (en) 2014-12-12 2022-03-22 Gn Hearing A/S Apparatus for secure hearing device communication and related method
EP3716670A1 (en) * 2014-12-12 2020-09-30 GN Hearing A/S Apparatus for secure hearing device communication and related method
US9503437B2 (en) 2014-12-12 2016-11-22 Gn Resound A/S Apparatus for secure hearing device communication and related method
US10027474B2 (en) 2014-12-12 2018-07-17 Gn Hearing A/S Hearing device with communication protection and related method
US10045207B2 (en) 2014-12-12 2018-08-07 Gn Hearing A/S Apparatus for secure hearing device communication and related method
US10681082B2 (en) 2014-12-12 2020-06-09 Gn Hearing A/S Hearing device with communication protection and related method
US10595197B2 (en) 2014-12-12 2020-03-17 Gn Hearing A/S Apparatus for secure hearing device communication and related method
US9608807B2 (en) 2014-12-12 2017-03-28 Gn Hearing A/S Hearing device with communication protection and related method
EP3032858B1 (en) 2014-12-12 2020-03-04 GN Hearing A/S Apparatus for secure hearing device communication and related method
EP3032857A1 (en) * 2014-12-12 2016-06-15 GN Resound A/S Hearing device with communication protection and related method
EP3032857B1 (en) 2014-12-12 2019-09-18 GN Hearing A/S Hearing device with communication protection and related method
EP3032858A1 (en) * 2014-12-12 2016-06-15 GN Resound A/S Apparatus for secure hearing device communication and related method
US10122689B2 (en) 2015-06-16 2018-11-06 Amazon Technologies, Inc. Load balancing with handshake offload
US10122692B2 (en) 2015-06-16 2018-11-06 Amazon Technologies, Inc. Handshake offload
EP3493464B1 (en) 2015-07-02 2020-12-02 GN Hearing A/S Client device with certificate and related method
US10263962B2 (en) * 2015-07-28 2019-04-16 International Business Machines Corporation User authentication over networks
US20170034133A1 (en) * 2015-07-28 2017-02-02 International Business Machines Corporation User authentication over networks
US9674158B2 (en) * 2015-07-28 2017-06-06 International Business Machines Corporation User authentication over networks
KR101798022B1 (en) 2016-05-26 2017-11-16 충남대학교산학협력단 Method and apparatus for executing programs using trusted platform module
US10826875B1 (en) * 2016-07-22 2020-11-03 Servicenow, Inc. System and method for securely communicating requests
US10990356B2 (en) * 2019-02-18 2021-04-27 Quantum Lock Technologies LLC Tamper-resistant smart factory
US11218472B2 (en) 2019-07-01 2022-01-04 Steve Rosenblatt Methods and systems to facilitate establishing a connection between an access-seeking device and an access granting device
US11757629B2 (en) * 2019-07-23 2023-09-12 Mastercard International Incorporated Methods and computing devices for auto-submission of user authentication credential
CN113518078A (en) * 2021-06-01 2021-10-19 中国铁道科学研究院集团有限公司 Cross-network data sharing method, information demander, information provider and system
CN115361222A (en) * 2022-08-26 2022-11-18 杭州安司源科技有限公司 Communication processing method, device and system

Similar Documents

Publication Publication Date Title
US8745394B1 (en) Methods and systems for secure electronic communication
CN109088889B (en) SSL encryption and decryption method, system and computer readable storage medium
US9917829B1 (en) Method and apparatus for providing a conditional single sign on
US8538020B1 (en) Hybrid client-server cryptography for network applications
US9330245B2 (en) Cloud-based data backup and sync with secure local storage of access keys
US9852300B2 (en) Secure audit logging
US11102191B2 (en) Enabling single sign-on authentication for accessing protected network services
US11676133B2 (en) Method and system for mobile cryptocurrency wallet connectivity
US9973481B1 (en) Envelope-based encryption method
US8904195B1 (en) Methods and systems for secure communications between client applications and secure elements in mobile devices
US9219722B2 (en) Unclonable ID based chip-to-chip communication
US9621524B2 (en) Cloud-based key management
US10007797B1 (en) Transparent client-side cryptography for network applications
US20160373414A1 (en) Handshake offload
US20140096213A1 (en) Method and system for distributed credential usage for android based and other restricted environment devices
US11546321B2 (en) Non-custodial tool for building decentralized computer applications
JP2019502286A (en) Key exchange through partially trusted third parties
US10033703B1 (en) Pluggable cipher suite negotiation
US10122689B2 (en) Load balancing with handshake offload
US8583911B1 (en) Network application encryption with server-side key management
US10257171B2 (en) Server public key pinning by URL
US11005828B1 (en) Securing data at rest
Dey et al. Message digest as authentication entity for mobile cloud computing
Zmezm et al. A Novel Scan2Pass Architecture for Enhancing Security towards E-Commerce
US11539671B1 (en) Authentication scheme in a virtual private network

Legal Events

Date Code Title Description

AS Assignment
Owner name: CITIBANK, N.A., NEW YORK
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:RAHAT, SYED;BROWNING, WAYNE;SIGNING DATES FROM 20130819 TO 20130821;REEL/FRAME:031062/0143

STCF Information on status: patent grant
Free format text: PATENTED CASE

FPAY Fee payment
Year of fee payment: 4

MAFP Maintenance fee payment
Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY
Year of fee payment: 8